closed delete all suspicious system accounts, especially those with high authority system accounts for all web directory! Re configure permissions, close the executable directory permissions, the picture and non script directory without authorization processing.

3. system to install the latest patches, of course, all running server software.

after completing the steps above, you need to put the administrator account password, password and database management, especially SQL and MySQL sa password, root password, you know, these accounts are special permissions, hackers can get system permissions through their

1. server is compromised, all web services should be closed immediately, suspended for at least 3 hours.


5. to set a variety of password management, open firewall port filtering.

window the latest patches, then MySQL or SQL database patch, as well as PHP and IIS, Serv-U is not to mention, often a loophole of things, there is some IDC who use virtual host management software, such as N virtual host management software, management software, management software, parties, etc..

web server, generally through the website vulnerability, you need to check the website program (with the above log analysis) for all web sites, can upload and write shell local inspection and strict treatment.

4. for the site directory re configure permissions, delete suspicious accounts closed system.

6. next, you need to deal with the site one by one.

2. download server logs (if not deleted words), and comprehensive anti-virus scanning on the server.


complete the aftermath: install a sniffer and honeypot tool for the server, the server log.

this will cost you almost 1-2 hours, but this is a must do, you must make sure that the hackers did not install a backdoor Trojan on the server, and the analysis of system logs, see hacker is through which website (usually by the website linked to horse may exist holes), which exploits to the server. Find and confirm the source of the attack, and hackers tampering Trojan URLs and black page screenshot saved, and hackers may leave personal IP or IP address.

many webmaster friends may think, no, the site shut down for several hours, that the loss of much ah, but you think, one may be modified by hackers phishing sites to the customer loss, or a closed website? You can put the site temporarily jump to a single page. Write one sentence: Web site maintenance, is expected after 3 hours of open access, please visit later, contact: XXX, you can solve this problem.